Terms and Conditions for Cyber Threat Management eXchange (CTMX)

The following terms and conditions set forth the terms for membership in the CTMX.  As a participating member of the CTMX (“Member” or “you”), you agree that you will share information through the CTMX in accordance with the terms set forth below. If you do not qualify as a CTMX member or cannot agree to the terms as set forth herein, please contact CTMX for further discussion.

1. Definitions

Data: the information shared by either CTMX or any Member in accordance with these membership terms and conditions.

CTMX:  CTMX is operated to support information sharing among cybersecurity professionals.

Member:  A qualifying person under CTMX that has agreed to these terms and conditions. 

2. CTMX Purpose. The CTMX has been established to facilitate the sharing of cyber Data among CTMX Members, and others as appropriate, in order to facilitate communication regarding cyber readiness and response efforts. These efforts include, but are not limited to, disseminating early warnings of cyber threats, sharing security incident information between Members, providing trends and other analysis for security planning, and distributing current proven security practices and suggestions.

3. CTMX Membership. Membership in the CTMX is limited to those currently in job roles in cyberthreat management.

4. Operation of the CTMX. The CTMX is focused on enhancing the cyber security readiness and response of public and private sector entities.  CTMX may also retain contractors from time to time to provide services to the CTMX and its Members.

5. Data Protection. CTMX and Member both acknowledge that the protection of shared Data is essential to the security of both Member and the mission of the CTMX. The intent of the Data protection terms is to: (a) enable Member to make disclosures of Data to CTMX while still maintaining rights in, and control over, the Data; and (b) set a common information sharing protocol that will determine the extent to which Data can be shared with others. Nothing in these terms and conditions grants CTMX or Member an express or implied license or an option on a license, or any other rights to, or interests in, the Data.

6. Data Sharing Protocol.  All Data provided by any CTMX Member or CTMX shall include an information sharing designation in accordance with the US CERT Traffic Light Protocol (TLP), as set forth below.  In the event that Data is shared by the Member or CTMX and such Data does not include a TLP designation, it shall be considered as having been designated TLP Amber unless and until subsequently, the entity sharing the Data otherwise specifically changes the designation. Notwithstanding the foregoing, unless a Member designates in writing that the Data in question cannot be shared or that such sharing is subject to stated restrictions, all Data provided by Members may be shared with other CTMX members provided that the Data is anonymized and not attributable to Member. 

[Figure: Traffic Light Protocol (TLP) designations (tlp.png)]

7. Other Data Designation. CTMX and Member acknowledge that certain Data may also be designated with a notice of patent, copyright, trade secret or other proprietary right and CTMX and Member each agree not to remove, alter or obscure any such designation without the prior written authorization of the party sharing the Data.

8. Data Retraction. If a Member retracts any Data it sent to the CTMX, then, upon notification by the Member, the CTMX will delete such Data and all copies thereof, and as applicable, notify other CTMX Members and its federal partners to delete the Data.  Upon receiving such notification, CTMX Members will delete such information and all copies thereof. If a CTMX Member is unable to delete the Data based on applicable law, then that Member will continue to maintain the confidentiality of the Data consistent with the TLP designation assigned to the Data.

9. Demand for Data. If any third party makes a demand for any Data, the CTMX or any other Member receiving such a demand shall immediately forward such request to the Member who shared the Data and consult and cooperate with that Member and will make reasonable efforts, consistent with applicable law and the applicable TLP designation, to protect the confidentiality of the Data. The Member sharing the Data will, as needed, have the opportunity to seek judicial or other appropriate avenues of redress to prevent any release. 

10. Reports Containing Data. As part of its elections information sharing efforts, the CTMX may prepare written reports that include or are based on TLP Red Data shared by Member. For such reports, the TLP Red Data will be anonymized and Member shall be provided a period of time to review such reports, papers, or other writings and has the right to review to correct factual inaccuracies and make recommendations and comments to the content of the report. The CTMX and Members agree to work together in good faith to reach mutually agreed upon language for the report.  If the parties are unable to reach agreement on an issue, the Member has the right to edit out its Data.

11. Confidentiality. Each party shall hold in strict confidence, and will not use or disclose to any third party, other than on a confidential basis to its and its affiliate's directors, officers, employees, consultants, agents and representatives with a need to know such information and who are subject to obligations of confidentiality at least as stringent as those set forth herein (but in no case less than those reasonably employed to protect a company's confidential information) to effectuate the parties' mutual intent hereunder, any confidential or proprietary data or information obtained from the disclosing party, or to which the receiving party has access, including without limitation with respect to the disclosing party's business or financial condition, technical or sales information, customer lists or otherwise (collectively, the "Confidential Information"). Information generally known in the industry or otherwise publicly available at the time of disclosure, information that a party can demonstrate was lawfully in its possession prior to the date of disclosure, information which has been disclosed by third parties which have a right to do so, or information developed independently by the receiving party without reference to or use of the Confidential Information, shall not be deemed Confidential Information for purposes of this Section 11. Each party's obligations pursuant to this Section 11 shall survive the termination of this Agreement for any reason. Information, (ii) protect against any anticipated threats or hazards to the security or integrity of such Confidential Information, (iii) protect against unauthorized access to or use of such Confidential Information that could result in harm or inconvenience to the disclosing party or its customers and (iv) where possible, ensure the complete, secure and permanent disposal of such Confidential Information, except where required by applicable law. 
Each party shall notify the disclosing party promptly if there is any actual or reasonably suspected (a) unauthorized or unlawful access to or disclosure of any Confidential Information, or (b) unauthorized access to any facility, computer network or system containing any Confidential Information (collectively, "Security Incidents"). Where a Security Incident has occurred, the breached party shall promptly take all steps necessary to mitigate the damages caused by the Security Incident. If CTMX Processes any Personal Information as part of its performance under this Agreement, CTMX shall comply with all applicable privacy regulations as prescribed by the Office of the Comptroller of the Currency. "Personal Information" means any information provided by or for Member and Processed by CTMX under the Agreement (i) that identifies or can be used to identify, contact or locate the individual person to whom such information pertains or (ii) from which identification or contact information of an individual person can be derived. Personal Information includes, but is not limited to: name, postal address, email address, phone number, national identification number or other government-issued identifier, and credit card information. Additionally, if any other information (for example, a unique identifier, password or IP address) is associated or combined with Personal Information, then such information is also Personal Information. "Processing" means holding or performing any operation or set of operations upon data, whether or not by automatic means, such as creating, collecting, procuring, obtaining, accessing, recording, organizing, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting or destroying the data, and "Process" and "Processed" shall be construed accordingly.
CTMX represents and warrants that all Members, staff, contractors and consultants are bound by substantially similar obligations of confidentiality and restrictions regarding use of information as those set forth herein. The parties acknowledge that improper disclosure of Confidential Information may cause irreparable injury to the disclosing party, and that remedies at law for any such breach could be inadequate. In the event of a breach or threatened breach, the disclosing party has the right to seek injunctive relief (in addition to any and all other remedies available at law or equity) without the need to post a bond or other security, or demonstrate the confidential nature of its Confidential Information.

12. Force Majeure. Neither party shall be held financially or otherwise responsible for any delay or failure in performance under this Agreement, which is caused by the unavailability of third-party communications facilities, fires, strikes, embargoes, government requirements, civil or military authorities, acts of God, acts by terrorists or terrorist organizations or by the public enemy or other similar causes beyond the reasonable control and without the fault or negligence of such party.

13. Indemnification. (a) Each Party shall indemnify, defend and hold harmless the other Party and its respective directors, officers, employees and agents, from and against any claims, losses, damages or expenses (including reasonable attorney fees, expenses and disbursements) by third parties pertaining to the actual or alleged infringement of any intellectual property right, including, without limitation, patents, copyrights, trademarks, service marks, or misappropriation of trade secrets or any similar property rights, arising from the indemnified Party accessing, using or distributing information provided by the indemnifying Party, while in accordance with the terms and conditions of this Agreement. (b) In the event of any claim or suit relating to any matter for which one party has agreed to provide indemnification under this Agreement, the indemnified party shall promptly provide notice of such claim or suit to the indemnifying party. The indemnifying party shall then have the sole right to control the conduct of the claim or suit and the indemnified party shall reasonably cooperate in the conduct of such claim or suit at the expense of the indemnifying party; provided, however, that the indemnified party may, in its own discretion and at its own expense, participate in the defense of any claim including counsel of its own choosing but such participation shall not relieve the indemnifying party of its obligations to defend such claim. In no event, however, may there be a settlement of any such claim or suit without the written consent of the indemnified party. The indemnified party has the sole and exclusive authority to enter into any settlement that would impose an injunction or any other equitable relief on the indemnified party.

14. Limitation of Liability. IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR TO ANY THIRD PARTY FOR INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST PROFITS) ARISING FROM ACTS UNDER THIS AGREEMENT EVEN IF SUCH PARTY OR MEMBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CTMX’S MAXIMUM LIABILITY TO MEMBER UNDER THIS AGREEMENT SHALL BE LIMITED TO THE AMOUNTS PAID BY MEMBER TO CTMX UNDER THIS AGREEMENT. NOTWITHSTANDING THE FOREGOING, NO LIMITATION OF EITHER PARTY'S LIABILITY SHALL APPLY WITH RESPECT TO ANY CLAIMS BASED ON SUCH PARTY'S FRAUD, WILLFUL MISCONDUCT OR GROSS NEGLIGENCE, INDEMNIFICATION OBLIGATIONS, OR BREACHES OF CONFIDENTIALITY.

15. Assignment. Neither party may assign this Agreement, or its rights and obligations hereunder, without the prior written consent of the other party except that Member may assign this Agreement or any rights or obligations hereunder to a parent, subsidiary or affiliate upon written notice to CTMX. This Agreement shall be binding upon, and inure to the benefit of, the parties and their respective successors and permitted assigns.

16. Term and Termination of Membership. This Agreement is effective from the date of acceptance of this Agreement by CTMX and shall automatically renew annually unless terminated by either party. Notwithstanding anything to the contrary contained herein, Member may terminate this Agreement without cause at any time.

17. Survival. The provisions of Sections 5-9 and 11-13 shall survive the expiration or earlier termination of this Agreement or any portion thereof.

18. Severability. Should any court of competent jurisdiction consider any provision of these terms and conditions to be invalid, illegal, or unenforceable, such provisions shall be considered severed from these terms and conditions. All other provisions, rights, and obligations shall continue without regard to the severed provision(s).

19. Entire Understanding. These terms and conditions contain the entire understanding between CTMX and Member with respect to the proprietary information described herein and supersedes all prior understandings whether written or oral.